VeraCrypt Security Audit Concludes Despite Rocky Start

VeraCrypt 1.19 released to fix 8 critical issues. The VeraCrypt project has released version 1.19 to fix a series of security flaws discovered during a recent security audit paid for by the Open Source Technology Improvement Fund (OSTIF).

The security audit, which took place between August 16 and September 14, 2016, analyzed VeraCrypt 1.18, a cross-platform software package that helps users encrypt their entire hard drives against unauthorized access.

“Disappearing emails” incident didn’t stop the security audit

After the TrueCrypt project shut down in 2014, VeraCrypt became the go-to solution for encrypting entire computers. This was one of the reasons why OSTIF chose to audit VeraCrypt in early August, following an influx of funds from DuckDuckGo and VikingVPN donations.

OSTIF hired the French security firm QuarksLab to perform the audit. Despite noticing that four critical emails regarding the VeraCrypt audit had mysteriously disappeared in mid-August, OSTIF decided to go through with the security check-up.

A month after the security audit concluded, the VeraCrypt team published version 1.19 yesterday, fixing eight issues labeled as critical, three as medium, and fifteen as low severity.

VeraCrypt 1.19 fixes 26 security flaws

First and foremost, the team has removed the ability to encrypt user data with the GOST 28147-89 algorithm, which they deemed insecure. The algorithm is still included in VeraCrypt 1.19 so that already encrypted computers can be opened, but users can no longer use it to encrypt new data.

Secondly, the team replaced the older and insecure XZip and XUnzip libraries with the modern libzip library.

Third, the VeraCrypt bootloader component also received updates aimed at hardening its code against external exploitation and data collection.

Last but not least, security researchers also fixed an issue in the boot password mechanism that allowed an attacker to determine the length of the password.

Since not all of the issues discovered in VeraCrypt could be patched without breaking backward compatibility with the TrueCrypt project, the team has published a series of recommendations on VeraCrypt’s documentation page to mitigate the remaining attack vectors.